By Sandro Melis and Bernhard Hartmann*
Energy companies are suffering from an increasing and unprecedented number of cyber-attacks. Last summer, a malware attack compromised the operations of more than 1,000 energy companies in North America and Europe. In 2013, hackers targeted 300 Norwegian oil and gas companies, just one year after hitting energy firms in Saudi Arabia, Iran, and Qatar.
For many years, the world has benefited from information technology advances that have improved the productivity of almost every sector of the energy industry – drilling, pipelines, power generation, and transmission. But we continue to underestimate the dark side of this equation: greater dependence on information technology also increases energy companies’ risks. The most recent Global Risks report by the World Economic Forum and its partners (including our firm Oliver Wyman) ranks cyber-attacks as one of the top 10 risks most likely to cause a global crisis. The World Energy Council, a forum for energy ministers and utilities, considers cyber threats as one of the top five risks to the world’s energy infrastructure.
In response, more than 30 countries – including Germany, Italy, France, the United Kingdom, the United States, Japan, and Canada – have unveiled cybersecurity strategies. Former chief of the United States’ National Security Agency, General Keith Alexander, has commented that countries need something like an integrated air-defense system for the energy sector to keep up with mounting cyber risks. And on 29 June, the Latvian Presidency of the Council of the European Union reached an understanding with the European Parliament on the main principles of what could become a unified directive for the European Union to protect critical infrastructure. But the searing reality is that cyber risks to the energy industry continue to be more serious and the implications farther-reaching than is commonly recognized.
One reason is that the industrial control systems that support energy companies are no longer as sealed off from external threats. Electric utilities depend on automated controls to run their grids, which are managed through interconnected network systems. Oil and gas companies depend on data networks to manage facilities and to interpret seismic developments. Refiners, too, rely on data networks to manage meters and to analyze their customers’ needs. So what can be done? So far, many energy companies have tried to mitigate cybersecurity threats by increasing their spending on information technology (IT) solutions, implementing new IT procedures, and buying more insurance. Since 2012, energy companies with revenues of more than $1bn have increased their cyber limits worldwide by 98%, according to Marsh Global Analytics estimates. Marsh, like Oliver Wyman, is a division of Marsh & McLennan Companies.
While these initiatives are understandable and laudable first steps, much more needs to be done. Above all, energy companies should treat cyber risks as permanent risks to their entire enterprise and not as isolated “information technology” events. Unlike strategic, operational, and financial risks, cyber risks are often mistakenly treated as lower priorities and relegated to information communications and technology departments.
As a result, the true cyber risk exposure of energy companies often goes unnoticed by top management and boards of directors, leaving the companies at higher risk than necessary. Cyber risks are rarely quantified or linked with their potential impact on companies’ financials, making it almost impossible to conduct cost-benefit analyses or to make strategic choices. IT departments introduce new technical solutions with minimal top-level direction. Companies adopt case-by-case reactive measures instead of a balanced portfolio of initiatives that involve their entire organization and align with their overall appetite for risk.
As with other operational risks, companies should set a target level of cyber security for all of its software, hardware, and employees based on their importance to the firm’s overall appetite for risk. The company should then ensure that controls and processes address gaps that are accordingly prioritized, starting with those that are mission critical. For example, a company might first safeguard its billing and customer relationship management systems, since they could put its revenues and reputation at serious risk if corrupted, before addressing risks to video conferencing tools or internal community portals.
At the same time, top managers in the energy industry need to develop a cyber risk management culture to the point that it becomes as second nature to employees as handling high hazard equipment. Cyber risk management goals should be baked into performance targets, incentives, regular reporting, and key executive discussions. When executives evaluate their tolerance for breaches that could impact their company’s reputation or violate health, safety, and environment standards, cyber incidents involving their industrial control systems should be front and center.
Otherwise, like other slow-building risks that people take for granted, ignoring the threat of increasing cyber-attacks could drop unprepared energy companies into the middle of a full-blown energy crisis. This isn’t a threat that is going away. Energy companies need to do the math and start making cyber-security a top priority.
*Sandro Melis is a Milan-based partner and Bernhard Hartmann a Dubai-based partner in the Energy Practice of Oliver Wyman, a global management consulting firm.